Security update for Bugzilla

The developers of the Bugzilla open source bug tracking system have released versions 3.2.3 and 3.3.4 to close a cross-site request forgery (CSRF) hole. Bugzilla 3.2.3 is an update to the stable version of Bugzilla, while 3.3.4 is an update for the development branch. The cause of the problem was a vulnerability in the handling of attachment editing: the attachment.cgi script did not validate that HTTP requests to edit an attachment had actually been issued from Bugzilla's own pages rather than from a third-party site.

An attacker would have to have access to a Bugzilla installation and be able to upload an attachment, such as a patch, that is to be manipulated. For a successful attack, the attacker would also need the victim to have a browser window open on Bugzilla while opening a malicious web site in another browser window.

The solution has been to introduce an unpredictable token which is checked on every attachment-editing request. The fix was not possible with earlier versions of Bugzilla, as attachment timestamps were not available there; the timestamps are used to generate and validate the token.
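To show how a timestamp-bound anti-CSRF token of the kind described above works, here is an added Python example. It is not Bugzilla's own (Perl) code, and the exact construction is an assumption: the token is an HMAC keyed with a site secret over the user id, the attachment id and the attachment's last-modification timestamp, so a forged request without the token, and a replayed token after the attachment has changed, are both rejected. The site secret, attachment record and timestamps are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret (assumption: a real deployment keeps this in
# configuration, never in the repository). It makes the token unpredictable
# to anyone who does not hold it, even if they know the timestamp.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"


def make_edit_token(secret: bytes, user_id: int, attachment_id: int,
                    modification_time: str) -> str:
    """Derive the per-attachment edit token.

    Binding the token to the attachment's last-modification timestamp means a
    token minted for one version of the attachment stops validating as soon as
    the attachment is edited; binding it to the user id means a token seen in
    one session is useless in another.
    """
    message = f"{user_id}:{attachment_id}:{modification_time}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def check_edit_token(secret: bytes, user_id: int, attachment_id: int,
                     modification_time: str, presented: str) -> bool:
    """Constant-time comparison of the presented token against the expected one."""
    expected = make_edit_token(secret, user_id, attachment_id, modification_time)
    return hmac.compare_digest(expected, presented)


def handle_edit_request(secret: bytes, session_user_id: int, attachment: dict,
                        form: dict, now: str) -> str:
    """Server-side handling of an attachment edit.

    `attachment` is the stored record (mutated on success), `form` the submitted
    fields, `now` the server clock value written as the new modification time.
    Returns "updated" or "rejected" so callers (and tests) can inspect the outcome.
    """
    token = form.get("token", "")
    if not check_edit_token(secret, session_user_id, attachment["id"],
                            attachment["modification_time"], token):
        # A cross-site request cannot read the token out of the Bugzilla page,
        # so it arrives without one (or with a stale one) and stops here.
        return "rejected"
    attachment["description"] = form.get("description", attachment["description"])
    # Rotating the timestamp invalidates every token issued before this edit.
    attachment["modification_time"] = now
    return "updated"


def demo() -> list:
    """Walk through a legitimate edit, a forged request and a stale replay."""
    attachment = {"id": 42, "description": "patch v1",
                  "modification_time": "2009-03-30 10:00:00"}  # constructed
    user = 7
    results = []

    # The edit form rendered to the logged-in user embeds the current token.
    token = make_edit_token(SITE_SECRET, user, attachment["id"],
                            attachment["modification_time"])
    results.append(handle_edit_request(SITE_SECRET, user, attachment,
                                       {"token": token, "description": "patch v2"},
                                       "2009-03-30 11:00:00"))
    # A request from another site carries the victim's cookies but no token.
    results.append(handle_edit_request(SITE_SECRET, user, attachment,
                                       {"description": "tampered"},
                                       "2009-03-30 12:00:00"))
    # Replaying the earlier token fails because the timestamp has moved on.
    results.append(handle_edit_request(SITE_SECRET, user, attachment,
                                       {"token": token, "description": "tampered"},
                                       "2009-03-30 12:00:00"))
    results.append(attachment["description"])
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the timestamp is visible in the third step: once an edit has gone through, the old token no longer validates, so even a token that leaked from an earlier page view cannot be reused, which is why the fix depended on Bugzilla versions that actually record attachment timestamps.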